US10277392B2 - Cracking devices and methods thereof - Google Patents

Cracking devices and methods thereof Download PDF

Info

Publication number
US10277392B2
US10277392B2 US15/598,053 US201715598053A US10277392B2 US 10277392 B2 US10277392 B2 US 10277392B2 US 201715598053 A US201715598053 A US 201715598053A US 10277392 B2 US10277392 B2 US 10277392B2
Authority
US
United States
Prior art keywords
hypothesized
data
secret key
keys
leakage
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US15/598,053
Other versions
US20170353295A1 (en
Inventor
Sung-Shine Lee
Szu-Chi Chung
Chun-Yuan Yu
Hsi-Chia Chang
Chen-Yi Lee
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Winbond Electronics Corp
Original Assignee
Winbond Electronics Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Winbond Electronics Corp filed Critical Winbond Electronics Corp
Assigned to WINBOND ELECTRONICS CORP. reassignment WINBOND ELECTRONICS CORP. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CHANG, HSI-CHIA, CHUNG, SZU-CHI, LEE, CHEN-YI, LEE, SUNG-SHINE, YU, CHUN-YUAN
Publication of US20170353295A1 publication Critical patent/US20170353295A1/en
Application granted granted Critical
Publication of US10277392B2 publication Critical patent/US10277392B2/en
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • G06F17/5009
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F30/00Computer-aided design [CAD]
    • G06F30/20Design optimisation, verification or simulation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/065Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2111/00Details relating to CAD techniques
    • G06F2111/10Numerical modelling
    • G06F2217/16
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless

Definitions

  • the disclosure relates generally to cracking devices and methods for side-channel attacks, and more particularly relates to cracking devices and methods configured to perform a calculation on a leakage model of correlation power analysis for improving cracking efficiency.
  • SCAs Side-Channel Attacks
  • a device's physical properties such as power, electromagnetic waves, temperature, etc.
  • Research from side-channel attacks reveals the potential weaknesses of devices and hence makes designers aware of possible security breaches.
  • designers have to take side-channel attacks into consideration in the design process, and test the designed IOT device using every kind of side-channel attack technique.
  • a cracking method for cracking a secret key of an encrypting device comprises: building up a leakage model for the encrypting device; performing a mathematical calculation on the leakage model, according to a plurality of sets of input data, to generate a mathematical model; generating a plurality of sets of hypothesized keys; generating a plurality of sets of simulation data corresponding to the hypothesized keys using the mathematical model; providing the input data for the encrypting device and detecting a plurality of sets of leakage data generated by the encrypting device; performing the mathematical calculation on the leakage data to generate calculated data; determining a correlation between each of the simulation data and the calculated data; and determining one of the hypothesized keys to be consistent with the secret key according to the correlation.
  • a cracking device for cracking a secret key of an encrypting device comprises: a controller; and a non-volatile storage device.
  • the non-volatile storage device is configured to store a plurality of instructions.
  • the controller executes the respective steps according to the instructions.
  • the steps comprise: building up a leakage model for the encrypting device; performing a mathematical calculation on the leakage model, according to a plurality of sets of input data, to generate a mathematical model; generating a plurality of sets of hypothesized keys; generating a plurality of sets of simulation data corresponding to the hypothesized keys using the mathematical model; providing the input data for the encrypting device and detecting a plurality of sets of leakage data generated by the encrypting device; performing the mathematical calculation on the leakage data to generate calculated data; and determining one of the hypothesized keys to be consistent with the secret key according to a correlation between each of the simulation data and the calculated data.
  • FIG. 1 is a schematic diagram of a cracking device in accordance with an embodiment of the invention
  • FIG. 2 is a flow chart of a cracking method in accordance with an embodiment of the invention.
  • FIG. 3 is a block diagram of a cracking device in accordance with an embodiment of the invention.
  • FIG. 1 is a schematic diagram of a cracking device in accordance with an embodiment of the invention.
  • the encrypting device 10 is configured to encrypt the input data DI according to the secret key SK and to generate the leakage data DO in the encrypting process.
  • the leakage data DO may be timing information, an alarm, an indicating light, power consumption, leaked electromagnetic waves, etc.
  • the cracking device 100 cracks the secret key SK of the encrypting device 10 according to a cracking method which will be described in detail in the following paragraphs.
  • FIG. 2 is a flow chart of a cracking method in accordance with an embodiment of the invention. For the sake of explaining the invention in detail, the explanation of FIG. 2 will be accompanied with FIG. 1 .
  • the cracking device 100 builds up a leakage model for the encrypting device 10 (Step S 21 ).
  • the leakage model is a function of the leakage data DO generated by the encrypting device 10 based on the input data DI and the secret key SK. That is, the leakage model generates the different leakage data DO with a first variable related to only the input data DI, a second variable related to only the secret key SK, and a third variable related to both the input data DI and the secret key SK.
  • the cracking device 100 performs a mathematical calculation on the leakage model, according to a plurality of sets of input data DI, to generate a mathematical model (Step S 22 ), for eliminating the second variable only related to the secret key SK.
  • the simplest mathematical calculation is to perform a calculation of addition or subtraction on the leakage model, based on a plurality of sets of input data DI, to generate the mathematical model.
  • the cracking device 100 hypothesizes the secret key SK used by the encrypting device 10 to generate a plurality of sets of hypothesized keys (Step S 23 ).
  • the secret key SK may be a 128-bit key.
  • the cracking device 100 divides the secret key SK into several parts and hypothesizes each part of the secret key SK to generate a plurality of sets of hypothesized keys. It is illustrated that each part of the secret key SK includes 8 bits. The cracking device 100 hypothesizes 8 bits of the secret key SK to generate 2 8 sets of hypothesized keys.
  • the cracking device 100 Compared to hypothesizing the 128-bit secret key SK to generate 2 128 sets of hypothesized keys in an exhaustive search, the cracking device 100 provided herein can greatly reduce the number of hypothesized keys that are necessary, so that the cracking efficiency should be greatly improved.
  • the cracking device 100 further inputs the plurality of sets of hypothesized keys to the mathematical model to generate a plurality of sets of simulation data (Step S 24 ). Since the influence of the second variable related to only the secret key SK has been removed from the mathematical model using the mathematical calculation, the plurality of sets of simulation data are merely related to the first variable and the third variable.
  • the cracking device 100 also provides the plurality of sets of input data DI for the encrypting device 10 to detect a plurality of sets of leakage data DO generated by the encrypting device 10 based on the input data DI and the secret key SK (Step S 25 ).
  • the cracking device 100 performs the mathematical calculation, which is identical to that performed on the leakage model, on the sets of leakage data DO, which have been measured, to generate the calculated data (Step S 26 ).
  • the influence of the second variable only related to the secret key SK can be eliminated by performing the identical mathematical calculation on the plurality of sets of leakage data DO, and the measurement noise can be lowered as well.
  • the cracking device 100 determines the correlation between each set of simulation data and the calculated data (Step S 27 ). According to an embodiment of the invention, the cracking device 100 calculates the correlation coefficient between each set of simulation data and the calculated data to determine the correlation between each set of simulation data and the calculated data.
  • the cracking device 100 obtains the secret key SK used by the encrypting device 10 according to the correlation between the plurality of sets of simulation data and the calculated data (Step S 28 ).
  • the set of hypothesized keys corresponding to the set of simulation data should be the closest to the secret key SK used by the encrypting device 10 .
  • the cracking device 100 may hypothesize each part of the secret key SK and may generate a plurality of hypothesized keys for each part.
  • the cracking device 100 determines that some sets of hypothesized keys are consistent with the respective parts of the secret key SK, the cracking device 100 combines the hypothesized keys, which are consistent with the respective parts of the secret key SK, to obtain the secret key SK.
  • the cracking device 100 divides the secret key SK into the first part and the second part, and hypothesizes the first part to generate a plurality of sets of first hypothesized keys.
  • the cracking device 100 hypothesizes the second part to generate a plurality of sets of second hypothesized keys.
  • the cracking device 100 combines the first part and the second part to obtain the secret key SK.
  • FIG. 3 is a block diagram of a cracking device in accordance with an embodiment of the invention.
  • the cracking device 300 in FIG. 3 corresponds to the cracking device 100 in FIG. 1 .
  • the cracking device 300 includes the controller 310 and the non-volatile storage device 320 , in which the non-volatile storage device 320 is configured to store a plurality of instructions. After the controller 310 executes the plurality of instructions stored in the non-volatile storage device 320 , the controller 310 executes the respective steps of the cracking method in FIG. 2 .
  • the cracking device and the cracking method provided herein are configured to perform a mathematical calculation on the leakage model and a plurality of calculation data, not only is the complexity of data reduced, but the algorithm noise and the measurement noise are also effectively reduced.
  • the mathematical calculation that is performed on the leakage model and the calculation data may be configured to obtain a difference value between two different sets of input data. If necessary, the cracking device and the cracking method provided herein may also include other operations or other calculations, such as obtaining additional input data for eliminating the influence of the second variable related to the secret key.
  • the cracking device 100 divides the secret key SK into 128 parts to confirm their respective correlations, the number of times that the cracking device 100 has to confirm the correlation between the calculated data and the simulation data is reduced to 128, so that the amount of data that should be processed has been greatly reduced, saving data-processing time.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Evolutionary Computation (AREA)
  • Geometry (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

A cracking method for cracking a secret key of an encrypting device includes: building up a leakage model for the encrypting device; performing a mathematical calculation on the leakage model, according to a plurality of sets of input data, to generate a mathematical model; generating a plurality of sets of hypothesized keys; generating a plurality of sets of simulation data corresponding to the hypothesized keys using the mathematical model; providing the input data for the encrypting device and detecting a plurality of sets of leakage data generated by the encrypting device; performing the mathematical calculation on the leakage data to generate calculated data; determining a correlation between each of the simulation data and the calculated data; and determining one of the hypothesized keys to be consistent with the secret key according to the correlation.

Description

CROSS REFERENCE TO RELATED APPLICATIONS
This Application claims priority of China Patent Application No. 201610389877.3, filed on Jun. 3, 2016, the entirety of which is incorporated by reference herein.
BACKGROUND OF THE INVENTION Field of the Invention
The disclosure relates generally to cracking devices and methods for side-channel attacks, and more particularly relates to cracking devices and methods configured to perform a calculation on a leakage model of correlation power analysis for improving cracking efficiency.
Description of the Related Art
Since IOT devices are mostly unattended so as to be a great attacking target for hackers, the importance of physical security of IOT devices grows. Side-Channel Attacks (SCAs) utilize a device's physical properties such as power, electromagnetic waves, temperature, etc. to reveal the secret key and information of the targeted device. Research from side-channel attacks reveals the potential weaknesses of devices and hence makes designers aware of possible security breaches. In order to ensure the security of devices, designers have to take side-channel attacks into consideration in the design process, and test the designed IOT device using every kind of side-channel attack technique.
In order to shorten the cracking time of a side-channel attack, it is necessary to lower the measurement noise and algorithm noise for reducing the quantity of data that should be processed and the complexity of data, so as to improve the cracking efficiency.
BRIEF SUMMARY OF THE INVENTION
In an embodiment, a cracking method for cracking a secret key of an encrypting device comprises: building up a leakage model for the encrypting device; performing a mathematical calculation on the leakage model, according to a plurality of sets of input data, to generate a mathematical model; generating a plurality of sets of hypothesized keys; generating a plurality of sets of simulation data corresponding to the hypothesized keys using the mathematical model; providing the input data for the encrypting device and detecting a plurality of sets of leakage data generated by the encrypting device; performing the mathematical calculation on the leakage data to generate calculated data; determining a correlation between each of the simulation data and the calculated data; and determining one of the hypothesized keys to be consistent with the secret key according to the correlation.
In an embodiment, a cracking device for cracking a secret key of an encrypting device comprises: a controller; and a non-volatile storage device. The non-volatile storage device is configured to store a plurality of instructions. The controller executes the respective steps according to the instructions. The steps comprise: building up a leakage model for the encrypting device; performing a mathematical calculation on the leakage model, according to a plurality of sets of input data, to generate a mathematical model; generating a plurality of sets of hypothesized keys; generating a plurality of sets of simulation data corresponding to the hypothesized keys using the mathematical model; providing the input data for the encrypting device and detecting a plurality of sets of leakage data generated by the encrypting device; performing the mathematical calculation on the leakage data to generate calculated data; and determining one of the hypothesized keys to be consistent with the secret key according to a correlation between each of the simulation data and the calculated data.
A detailed description is given in the following embodiments with reference to the accompanying drawings.
BRIEF DESCRIPTION OF DRAWINGS
The invention can be more fully understood by reading the subsequent detailed description and examples with references made to the accompanying drawings, wherein:
FIG. 1 is a schematic diagram of a cracking device in accordance with an embodiment of the invention;
FIG. 2 is a flow chart of a cracking method in accordance with an embodiment of the invention; and
FIG. 3 is a block diagram of a cracking device in accordance with an embodiment of the invention.
 DETAILED DESCRIPTION OF THE INVENTION
This description is made for the purpose of illustrating the general principles of the invention and should not be taken in a limiting sense. In addition, the present disclosure may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. The scope of the invention is best determined by reference to the appended claims.
It is understood that the following disclosure provides many different embodiments, or examples, for implementing different features of the application. Specific examples of components and arrangements are described below to simplify the present disclosure. These are, of course, merely examples and are not intended to be limiting. In addition, the present disclosure may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. Moreover, the formation of a feature on, connected to, and/or coupled to another feature in the present disclosure that follows may include embodiments in which the features are formed in direct contact, and may also include embodiments in which additional features may be formed interposing the features, such that the features may not be in direct contact.
FIG. 1 is a schematic diagram of a cracking device in accordance with an embodiment of the invention. As shown in FIG. 1, the encrypting device 10 is configured to encrypt the input data DI according to the secret key SK and to generate the leakage data DO in the encrypting process. According to an embodiment of the invention, the leakage data DO may be timing information, an alarm, an indicating light, power consumption, leaked electromagnetic waves, etc. The cracking device 100 cracks the secret key SK of the encrypting device 10 according to a cracking method which will be described in detail in the following paragraphs.
FIG. 2 is a flow chart of a cracking method in accordance with an embodiment of the invention. For the sake of explaining the invention in detail, the explanation of FIG. 2 will be accompanied with FIG. 1. As shown in FIG. 1, the cracking device 100 builds up a leakage model for the encrypting device 10 (Step S21).
According to an embodiment of the invention, the leakage model is a function of the leakage data DO generated by the encrypting device 10 based on the input data DI and the secret key SK. That is, the leakage model generates the different leakage data DO with a first variable related to only the input data DI, a second variable related to only the secret key SK, and a third variable related to both the input data DI and the secret key SK.
In order to lower the algorithm noise, the cracking device 100 performs a mathematical calculation on the leakage model, according to a plurality of sets of input data DI, to generate a mathematical model (Step S22), for eliminating the second variable only related to the secret key SK. According to an embodiment of the invention, the simplest mathematical calculation is to perform a calculation of addition or subtraction on the leakage model, based on a plurality of sets of input data DI, to generate the mathematical model.
Then, the cracking device 100 hypothesizes the secret key SK used by the encrypting device 10 to generate a plurality of sets of hypothesized keys (Step S23). According to an embodiment of the invention, the secret key SK may be a 128-bit key. According to an embodiment of the invention, the cracking device 100 divides the secret key SK into several parts and hypothesizes each part of the secret key SK to generate a plurality of sets of hypothesized keys. It is illustrated that each part of the secret key SK includes 8 bits. The cracking device 100 hypothesizes 8 bits of the secret key SK to generate 28 sets of hypothesized keys. Compared to hypothesizing the 128-bit secret key SK to generate 2128 sets of hypothesized keys in an exhaustive search, the cracking device 100 provided herein can greatly reduce the number of hypothesized keys that are necessary, so that the cracking efficiency should be greatly improved.
The cracking device 100 further inputs the plurality of sets of hypothesized keys to the mathematical model to generate a plurality of sets of simulation data (Step S24). Since the influence of the second variable related to only the secret key SK has been removed from the mathematical model using the mathematical calculation, the plurality of sets of simulation data are merely related to the first variable and the third variable.
On the other hand, the cracking device 100 also provides the plurality of sets of input data DI for the encrypting device 10 to detect a plurality of sets of leakage data DO generated by the encrypting device 10 based on the input data DI and the secret key SK (Step S25). For the sake of properly comparing the plurality of sets of simulation data with the plurality of sets of leakage data DO, the cracking device 100 performs the mathematical calculation, which is identical to that performed on the leakage model, on the sets of leakage data DO, which have been measured, to generate the calculated data (Step S26). According to an embodiment of the invention, the influence of the second variable only related to the secret key SK can be eliminated by performing the identical mathematical calculation on the plurality of sets of leakage data DO, and the measurement noise can be lowered as well.
Then, the cracking device 100 determines the correlation between each set of simulation data and the calculated data (Step S27). According to an embodiment of the invention, the cracking device 100 calculates the correlation coefficient between each set of simulation data and the calculated data to determine the correlation between each set of simulation data and the calculated data.
In addition, the cracking device 100 obtains the secret key SK used by the encrypting device 10 according to the correlation between the plurality of sets of simulation data and the calculated data (Step S28). According to an embodiment of the invention, when one of the sets of simulation data has the highest correlation coefficient, which means the set of simulation data is the closest to the calculated data, the set of hypothesized keys corresponding to the set of simulation data should be the closest to the secret key SK used by the encrypting device 10.
According to another embodiment of the invention, the cracking device 100 may hypothesize each part of the secret key SK and may generate a plurality of hypothesized keys for each part. When the cracking device 100 determines that some sets of hypothesized keys are consistent with the respective parts of the secret key SK, the cracking device 100 combines the hypothesized keys, which are consistent with the respective parts of the secret key SK, to obtain the secret key SK.
For example, the cracking device 100 divides the secret key SK into the first part and the second part, and hypothesizes the first part to generate a plurality of sets of first hypothesized keys. When determining that the first part is consistent with one of the first hypothesized keys, the cracking device 100 hypothesizes the second part to generate a plurality of sets of second hypothesized keys. When determining that the second part is consistent with one of the second hypothesized keys, the cracking device 100 combines the first part and the second part to obtain the secret key SK.
FIG. 3 is a block diagram of a cracking device in accordance with an embodiment of the invention. The cracking device 300 in FIG. 3 corresponds to the cracking device 100 in FIG. 1. As shown in FIG. 3, the cracking device 300 includes the controller 310 and the non-volatile storage device 320, in which the non-volatile storage device 320 is configured to store a plurality of instructions. After the controller 310 executes the plurality of instructions stored in the non-volatile storage device 320, the controller 310 executes the respective steps of the cracking method in FIG. 2.
Since the cracking device and the cracking method provided herein are configured to perform a mathematical calculation on the leakage model and a plurality of calculation data, not only is the complexity of data reduced, but the algorithm noise and the measurement noise are also effectively reduced. According to an embodiment of the invention, the mathematical calculation that is performed on the leakage model and the calculation data may be configured to obtain a difference value between two different sets of input data. If necessary, the cracking device and the cracking method provided herein may also include other operations or other calculations, such as obtaining additional input data for eliminating the influence of the second variable related to the secret key.
In addition, when providing N sets of input data DI and performing a mathematical calculation on two of the N sets of input data DI, C2 Nsets of calculation data are obtained, such that the amount of calculation data required can be greatly increased by performing the mathematical calculation. Furthermore, it is assumed that the secret key SK is 128 bits, such that the correlation between the calculation data and the simulation data needs to be confirmed 2128 times using an exhaustive search. However, the cracking device and the cracking method provided herein divide the secret key SK into 128 parts to confirm their respective correlations. That is, when the cracking device 100 divides the secret key SK into 128 parts to confirm their respective correlations, the number of times that the cracking device 100 has to confirm the correlation between the calculated data and the simulation data is reduced to 128, so that the amount of data that should be processed has been greatly reduced, saving data-processing time.
While the invention has been described by way of example and in terms of preferred embodiment, it is to be understood that the invention is not limited thereto. Those who are skilled in this technology can still make various alterations and modifications without departing from the scope and spirit of this invention. Therefore, the scope of the present invention shall be defined and protected by the following claims and their equivalents.

Claims (12)

What is claimed is:
1. A cracking method for cracking a secret key of an encrypting device, comprising:
building up a leakage model for the encrypting device;
performing a mathematical calculation on the leakage model, according to a plurality of sets of input data, to generate a mathematical model;
generating a plurality of sets of hypothesized keys;
generating a plurality of sets of simulation data corresponding to the hypothesized keys using the mathematical model;
providing the input data for the encrypting device and detecting a plurality of sets of leakage data generated by the encrypting device;
performing the mathematical calculation on the leakage data to generate calculated data;
determining a correlation between each of the simulation data and the calculated data; and
determining one of the hypothesized keys to be consistent with the secret key according to the correlation.
2. The cracking method in claim 1, wherein the step of determining one of the hypothesized keys to be consistent with the secret key according to the correlation further comprises:
calculating a correlation coefficient between each of the simulation data and the calculated data;
selecting one of the simulation data as target data according to the correlation coefficient, wherein the correlation coefficient of the target data is the highest; and
determining one of the hypothesized keys corresponding to the target data to be consistent with the secret key.
3. The cracking method in claim 1, wherein the leakage model generates the different leakage data according to a first variable related to the input data, a second variable related to the hypothesized keys, and a third variable related to both the input data and the hypothesized keys, wherein the mathematical calculation is configured to eliminate the influence of the second variable of the leakage model.
4. The cracking method in claim 3, wherein the encrypting device encrypts the input data, according to the secret key, to generate the different leakage data, wherein the mathematical calculation is further configured to eliminate the influence of the second variable of the encrypting device.
5. The cracking method in claim 1, wherein the step of generating the hypothesized keys further comprises:
dividing the secret key into N parts; and
hypothesizing each of the N parts of the secret key to generate N times the sets of hypothesized keys;
wherein after one of the hypothesized keys, which corresponds to a selected one of the N parts of the secret key, is determined to be consistent with the selected one of the N parts of the secret key, another of the N parts of the secret key is then hypothesized.
6. The cracking method in claim 5, wherein the step of determining one of the hypothesized keys to be consistent with the secret key further comprises:
determining one of the hypothesized keys corresponding to each of the N parts to be consistent with each of the N parts of the secret key; and
combining all the N hypothesized keys to obtain the secret key.
7. A cracking device for cracking a secret key of an encrypting device, comprising:
a controller; and
a non-volatile storage device, configured to store a plurality of instructions, wherein the controller executes the respective steps according to the instructions, wherein the steps comprise:
building up a leakage model for the encrypting device;
performing a mathematical calculation on the leakage model, according to a plurality of sets of input data, to generate a mathematical model;
generating a plurality of sets of hypothesized keys;
generating a plurality of sets of simulation data corresponding to the hypothesized keys using the mathematical model;
providing the input data for the encrypting device and detecting a plurality of sets of leakage data generated by the encrypting device;
performing the mathematical calculation on the leakage data to generate calculated data; and
determining one of the hypothesized keys to be consistent with the secret key according to a correlation between each of the simulation data and the calculated data.
8. The cracking device in claim 7, wherein the step of determining one of the hypothesized keys to be consistent with the secret key further comprises:
calculating a correlation coefficient between each of the simulation data and the calculated data;
selecting one of the simulation data as target data according to the correlation coefficient, wherein the correlation coefficient of the target data is the highest; and
determining the hypothesized keys corresponding to the target data to be consistent with the secret key.
9. The cracking device in claim 7, wherein the leakage model generates the different leakage data according to a first variable related to the input data, a second variable related to the hypothesized keys, and a third variable related to both the input data and the hypothesized keys, wherein the mathematical calculation is configured to eliminate the influence of the second variable of the leakage model.
10. The cracking device in claim 9, wherein the encrypting device encrypts the input data, according to the secret key, to generate the different leakage data, wherein the mathematical calculation is further configured to eliminate the influence of the second variable of the encrypting device.
11. The cracking device in claim 7, wherein the step of generating the hypothesized keys further comprises:
dividing the secret key into N parts; and
hypothesizing each of the N parts of the secret key to generate N times the sets of hypothesized keys;
wherein after one of the hypothesized keys, which corresponds to a selected one of the N parts of the secret key, is determined to be consistent with the selected one of the N parts of the secret key, another of the N parts of the secret key is then hypothesized.
12. The cracking device in claim 11, wherein the step of determining one of the hypothesized keys to be consistent with the secret key further comprises:
determining one of the hypothesized keys corresponding to each of the N parts to be consistent with each of the N parts of the secret key; and
combining all the N hypothesized keys to obtain the secret key.
US15/598,053 2016-06-03 2017-05-17 Cracking devices and methods thereof Active 2037-12-12 US10277392B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201610389877.3A CN107465645A (en) 2016-06-03 2016-06-03 Breaking device and method
CN201610389877.3 2016-06-03
CN201610389877 2016-06-03

Publications (2)

Publication Number Publication Date
US20170353295A1 US20170353295A1 (en) 2017-12-07
US10277392B2 true US10277392B2 (en) 2019-04-30

Family

ID=60483967

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/598,053 Active 2037-12-12 US10277392B2 (en) 2016-06-03 2017-05-17 Cracking devices and methods thereof

Country Status (2)

Country Link
US (1) US10277392B2 (en)
CN (1) CN107465645A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7599488B2 (en) * 1998-01-02 2009-10-06 Cryptography Research, Inc. Differential power analysis
US20110268266A1 (en) * 2008-12-09 2011-11-03 Kabushiki Kaisha Toshiba Cryptographic processing apparatus and operation method
CN104811295A (en) 2015-05-05 2015-07-29 国家密码管理局商用密码检测中心 Side channel energy analysis method for ZUC cryptographic algorithm with mask protection
US20160140340A1 (en) * 2014-11-19 2016-05-19 The Mitre Corporation Side-channel leakage evaluator and analysis kit
US20160140274A1 (en) * 2013-06-21 2016-05-19 Cryptography Research, Inc. Energy analysis for differential power analysis resistance
US20180365195A1 (en) * 2015-12-11 2018-12-20 Institut Mines-Telecom Methods and devices for estimating secret values

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7599488B2 (en) * 1998-01-02 2009-10-06 Cryptography Research, Inc. Differential power analysis
US20110268266A1 (en) * 2008-12-09 2011-11-03 Kabushiki Kaisha Toshiba Cryptographic processing apparatus and operation method
US20160140274A1 (en) * 2013-06-21 2016-05-19 Cryptography Research, Inc. Energy analysis for differential power analysis resistance
US20160140340A1 (en) * 2014-11-19 2016-05-19 The Mitre Corporation Side-channel leakage evaluator and analysis kit
CN104811295A (en) 2015-05-05 2015-07-29 国家密码管理局商用密码检测中心 Side channel energy analysis method for ZUC cryptographic algorithm with mask protection
US20180365195A1 (en) * 2015-12-11 2018-12-20 Institut Mines-Telecom Methods and devices for estimating secret values

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Eric Brier et al.; "Correlation Power Analysis with a Leakage Model"; 2004; pp. 1-14; Gemplus Card International, France.
Paul Kocher et al.; "Differential Power Analysis"; CRYPTO'99, LNCS 1666, 1999, pp. 388-397.
S'Ebastien Aumonier; "Generalized Correlation Power Analysis"; Sep. 2007; pp. 1-11; Oberthur Card Systems SA.

Also Published As

Publication number Publication date
CN107465645A (en) 2017-12-12
US20170353295A1 (en) 2017-12-07

Similar Documents

Publication Publication Date Title
JP6058245B2 (en) Random number expansion apparatus, random number expansion method and random number expansion program
CN108604981B (en) Method and apparatus for estimating secret value
CN109417466B (en) Secret key estimation method and device
EP3143720A1 (en) Differential power analysis countermeasures
US20180287779A1 (en) White-box cryptography method and apparatus for preventing side channel analysis
Zadeh et al. Simple power analysis applied to nonlinear feedback shift registers
CN114239082A (en) Anti-attack Internet of things security chip, method and device integrating national cryptographic algorithm
Hosey et al. Advanced analysis of cell stability for reliable SRAM PUFs
KR101623493B1 (en) Appropriate Countermeasure against Side Channel Analysis on Cryptogram Generating Process of Financial IC Cards
JP2007155715A (en) System and method for verifying metadata during measuring processing
Bellizia et al. Template attacks exploiting static power and application to CMOS lightweight crypto‐hardware
CN112260818A (en) Side channel curve enhancement method, side channel attack method and side channel attack device
Immler et al. Take a moment and have some t: Hypothesis testing on raw PUF data
Hu et al. Multi-leak deep-learning side-channel analysis
CN106357378B (en) Key detection method and its system for SM2 signature
US20220414227A1 (en) Side-channel attack on hmac-sha-2 and associated testing
Wang et al. New methods of template attack based on fault sensitivity analysis
Ahmed et al. Design of Lightweight Cryptography based Deep Learning Model for Side Channel Attacks
US10277392B2 (en) Cracking devices and methods thereof
Zhang et al. On Trojan side channel design and identification
JP5979750B2 (en) Side channel evaluation apparatus and side channel evaluation method
Hu et al. Software implementation of aes-128: Side channel attacks based on power traces decomposition
KR102554852B1 (en) Method and apparatus for side channel analysis for rsa encryption using artifical neural network
US20160004591A1 (en) Method and device for processing data
Wen et al. A novel PUF architecture against non-invasive attacks

Legal Events

Date Code Title Description
AS Assignment

Owner name: WINBOND ELECTRONICS CORP., TAIWAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LEE, SUNG-SHINE;CHUNG, SZU-CHI;YU, CHUN-YUAN;AND OTHERS;REEL/FRAME:042423/0899

Effective date: 20170510

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: SURCHARGE FOR LATE PAYMENT, LARGE ENTITY (ORIGINAL EVENT CODE: M1554); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4